
Implementation of a VPN System Based on the IPSec Protocol under Linux

Implementation of VPN System in Linux Based on IPSec

【Author】 李华宇 (Li Huayu)

【Supervisor】 张建州 (Zhang Jianzhou)

【Author information】 Sichuan University, Computer Application Technology, 2003, Master's degree

【Abstract (Chinese original, translated)】 With the arrival of the information age, the interconnectivity and openness offered by the Internet have made the exchange and sharing of information a reality and have brought enormous economic benefits to society. At the same time, the problem of information security and confidentiality has become increasingly prominent; protecting network security and guaranteeing information security have become a core concern, and a variety of security technologies have emerged in response. VPN (Virtual Private Network) technology provides a secure, trusted channel for the two communicating parties. Technically, a VPN is a logical virtual subnet formed by connecting networks that are physically located at different sites over a public backbone network. It uses measures such as identity authentication, access control, data confidentiality and data integrity to ensure that information in transit cannot be eavesdropped on, tampered with or copied, thereby securing information transmitted over the Internet. The technologies involved in a VPN include secure tunneling, user authentication, access control and encryption/decryption, among others. The core technology is secure tunneling, and the tunneling technology in general use today is implemented with the IPSec protocol. This thesis first introduces the VPN architecture and compares it with common security technologies; second, it describes in detail the implementation technologies of the WSTMK_VPN system, with emphasis on the Linux network architecture, the Netfilter firewall architecture, the IKE protocol and the PF_KEY protocol; it then focuses on the implementation of the WSTMK_VPN system, in particular the IPSec kernel processing, SAD (security association database) management and PF_KEY protocol modules; finally, it evaluates the performance of the whole system. The technical features of the system are: 1) the IPSec entry functions are implemented with the latest Netfilter firewall mechanism in Linux, giving efficient code execution, a modular code base and easy extensibility; 2) the PF_KEY v2 protocol is implemented for communication between the kernel and the application layer, making upper-layer calls convenient and the code simple to implement. Some parts of the system still need improvement, such as the completion of the functional modules and the implementation of the IKE module; these are the goals of future work.

【Abstract】 With the arrival of the information age, the connectivity and openness provided by the Internet have made information exchange and sharing a reality, bringing great economic benefits to society. However, the security problem has also become more and more prominent. Protecting network security and guaranteeing information safety have become core concerns, and many security technologies have therefore been developed. VPN technology offers a secure and reliable tunnel for both sides of a communication. Technically, a VPN connects networks located in different places over a public backbone network, forming a logical network. To protect information from being pried on, modified or copied, and to guarantee the security of data on the Internet, a VPN uses authentication, access control, data secrecy, data integrity and so on. The technologies of VPN include secure tunneling, user authentication, encryption and decryption, etc. Among them, the core is secure tunneling technology, and the widely used tunneling technology today is based on the IPSec protocol. First, this thesis introduces the architecture of VPN and compares it with common security technologies. Second, it illustrates the implementation technologies in detail, especially the Linux network architecture, the Netfilter firewall architecture, the IKE protocol and the PF_KEY protocol. Then it discusses the implementation of the WSTMK_VPN system, especially the IPSec kernel processing, SAD management and the PF_KEY protocol. At last, it evaluates the performance of the whole system. This system has the following characteristics. For one thing, the Netfilter firewall technology is used to implement the IPSec entry functions, which increases program efficiency and makes the code modular and easy to extend. For another, the PF_KEY protocol is used to connect the kernel and IKE, which makes communication easy and simplifies the code. Of course, this system still has places to be improved, such as the refinement of the function modules and the IKE module, which are the aims of future work.

  • 【Online publication submitter】 Sichuan University
  • 【Online publication issue】 2004, No. 01
  • 【Classification number】 TN915.85
  • 【Downloads】 204